Vulnerability Description
PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine maybe able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pingidentity | Pingid Integration For Windows Login | < 2.8 |
Related Weaknesses (CWE)
References
- https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.htmlRelease NotesVendor Advisory
- https://www.pingidentity.com/en/resources/downloads/pingid.htmlProductVendor Advisory
- https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.htmlRelease NotesVendor Advisory
- https://www.pingidentity.com/en/resources/downloads/pingid.htmlProductVendor Advisory
FAQ
What is CVE-2022-23719?
CVE-2022-23719 is a vulnerability with a CVSS score of 7.2 (HIGH). PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machin...
How severe is CVE-2022-23719?
CVE-2022-23719 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-23719?
Check the references section above for vendor advisories and patch information. Affected products include: Pingidentity Pingid Integration For Windows Login.